[Dshield] SSH bruteforce with logname "lp"

jayjwa jayjwa at atr2.ath.cx
Tue Jul 1 17:55:16 GMT 2008



On Mon, 30 Jun 2008, Shaun wrote:

-> I'm seeing a large surge in SSH attempts this morning. Large, as in,
-> more than 10% of the hosts I've blocked for bruteforcing all year are
-> from today.
-> 
-> They're coming from a variety of different sources (mostly APNIC, no
-> surprise), but all are using "lp" as their attempted login. Haven't seen
-> this particular pattern before. Curious whether anyone else is getting
-> the same thing, or if this is some sort of targeted attack.

I'm not recording a lot of hits to tcp/22, but my ssh is not there anymore 
anyways. "lp" is sometimes a system account, maybe someone is looking for 
system accounts left open. I've seen that, and other system accounts, tried 
before.


2008-07-01T07:22:51-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=76.76.18.11 DST=64.179.15.222 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=45559 PROTO=TCP SPT=22485 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
2008-07-01T08:14:50-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34293 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
2008-07-01T08:14:53-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34294 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
2008-07-01T10:48:15-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26692 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
2008-07-01T10:48:18-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26693 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0



Ssh bruteforces have been going on a long time now. Maybe this is 'attack 
history' week? ;) I captured what look to be some really old unicode & webdav 
IIS exploits earlier in the week:

ftp://atr2.ath.cx/pub/file_hosting/packet_captures/bot-exploit-attempts-tcp80.cap
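As an added example (not from the post or its author), a small Python parser for the netfilter LOG lines quoted above that aggregates SYNs to tcp/22 per source and separates retransmitted SYNs (same source port a few seconds apart) from distinct connection attempts; the sample input is a copy of the five lines in the message.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the five "Ssh Scan" netfilter LOG lines quoted in the post.
SAMPLE_LOG = """\
2008-07-01T07:22:51-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=76.76.18.11 DST=64.179.15.222 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=45559 PROTO=TCP SPT=22485 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
2008-07-01T08:14:50-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34293 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
2008-07-01T08:14:53-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=24.118.246.112 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34294 DF PROTO=TCP SPT=56344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
2008-07-01T10:48:15-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26692 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
2008-07-01T10:48:18-04:00 atr2 kernel: Ssh Scan: IN=ppp0 OUT= MAC= SRC=211.245.23.143 DST=64.179.15.222 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=26693 DF PROTO=TCP SPT=41670 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# timestamp host "kernel:" <log-prefix>: KEY=VALUE ... with bare flag tokens mixed in
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<prefix>.*?): (?P<fields>.*)$")

def parse_line(line):
    """Parse one netfilter LOG line into a dict; return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "prefix": m["prefix"], "flags": set()}
    for tok in m["fields"].split():
        if "=" in tok:                 # KEY=VALUE; the value may be empty (OUT= MAC=)
            key, val = tok.split("=", 1)
            rec[key] = val
        else:                          # bare tokens are flags: SYN, DF, ACK, ...
            rec["flags"].add(tok)
    return rec

def summarize(text, port="22"):
    """Per source IP: raw SYN count, distinct connection attempts, first/last seen."""
    per_src = defaultdict(lambda: {"syns": 0, "ports": set(), "first": None, "last": None})
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "TCP" or rec.get("DPT") != port:
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue                   # only initial connection requests
        s = per_src[rec["SRC"]]
        s["syns"] += 1
        # Same SPT a few seconds apart is the peer retransmitting one SYN (IP ID
        # increments by one), not a new attempt; distinct source ports approximate
        # real connection attempts.
        s["ports"].add(rec["SPT"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return {src: {**s, "connections": len(s["ports"])} for src, s in per_src.items()}

def repeat_sources(summary, min_syns=2):
    """Sources that sent at least min_syns SYNs, sorted for stable output."""
    return sorted(src for src, s in summary.items() if s["syns"] >= min_syns)

if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        print(f"{src:16} syns={s['syns']} connections={s['connections']} "
              f"first={s['first'].isoformat()} last={s['last'].isoformat()}")
```

On the sample, the two sources that appear twice each turn out to be a single retransmitted SYN, so a rule that blocks on raw log-line counts would overstate the activity.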